KBI 310766 New Feature: Argent AT Global Security Objects
Version
Argent Advanced Technology 3.1A-1401-A and later
Date
Monday, 9 Dec 2013
Summary
Argent AT 3.1A-1401-A implements Global Security Objects (GSO) to manage the security of folders and objects, complementing the same features in the Argent AT GUI
For a detailed white paper showing how Argent AT Global Security Objects are used, see:
Argent AT Global Security Objects – Best Practices
Technical Background
A command-line interface is also available. For a printable white paper of this documentation, see:
Argent AT Global Security Objects – Command-Line Interface
ARGENT_GSO_CLI
This utility manages Global Security Objects (GSOs)
Only an Argent AT product administrator can use this utility successfully
- To add or update group/account access for a GSO:
ARGENT_GSO_CLI -p product -n gso_name [-s group_or_account:denied|view|full]
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the GSO name. If the GSO does not exist, a new GSO should be created
Argument ‘-s’ specifies the access right for a group or account: ‘denied’ for Denied, ‘view’ for Read Only, and ‘full’ for Full Access
Multiple ‘-s’ arguments can be used to set access for multiple groups and accounts
- Remove group/account access from a GSO:
ARGENT_GSO_CLI -p product -n gso_name [-r group_or_account]
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the GSO name
Argument ‘-r’ specifies the group or account to remove from the GSO
- Delete a GSO definition:
ARGENT_GSO_CLI -p product -n gso_name -del
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the GSO name
Argument ‘-del’ specifies that the GSO should be deleted
- Verify a group or account against a GSO definition:
ARGENT_GSO_CLI -p product -n gso_name -v group_or_account
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the GSO name
Argument ‘-v’ specifies the group or account whose access to the GSO is to be verified
Note: The utility only checks the explicit settings when checking an account
In other words, the utility does not query Active Directory for groups that the account belongs to
ARGENT_SECURITY_CLI
This utility manages the security settings of folders and objects in the selected Argent AT product
Only an Argent AT product administrator can use this utility successfully
- To reset the product administrator to the product service account:
ARGENT_SECURITY_CLI -p product -reset_admin
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-reset_admin’ specifies the operation. As only the product administrator can manipulate product security, this is equivalent to a reset to factory default
Note: The customer must log on as the product service account to reset it successfully
- Set object or folder security using a Global Security Object (GSO):
ARGENT_SECURITY_CLI -p product -n object_name -type type -s gso -gso
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the object or folder name
Argument ‘-type’ specifies the object type. It can be one of the following values:
- node (CMDB-X node)
- folder
- rule
- relator
- alert
- mg (Monitoring Group)
- ard (Automatic Report Distribution)
- macro
- cal (Calendar)
Argument ‘-gso’ specifies that a GSO is used
Argument ‘-s’ specifies the GSO name
- Remove a GSO from the security of an object or folder:
ARGENT_SECURITY_CLI -p product -n object_name -type type -r gso -gso
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the object or folder name
Argument ‘-type’ specifies the object type
Argument ‘-gso’ specifies that a GSO is used
Argument ‘-r’ specifies the GSO name
- Set object or folder security using an explicit group or account:
ARGENT_SECURITY_CLI -p product -n object_name -type type [-s group_or_account:denied|view|full]
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the object or folder name
Argument ‘-type’ specifies the object type
Argument ‘-s’ specifies the access right for a group or account: ‘denied’ for Denied, ‘view’ for Read Only, and ‘full’ for Full Access
Multiple ‘-s’ arguments can be used to set access for multiple groups and accounts
- Remove a group or account from the security of an Argent AT object or folder:
ARGENT_SECURITY_CLI -p product -n object_name -type type [-r group_or_account]
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the object or folder name
Argument ‘-type’ specifies the object type
Argument ‘-r’ specifies a group or account to remove
- Verify a group or account against the security of an Argent AT object or folder:
ARGENT_SECURITY_CLI -p product -n object_name -type type -v group_or_account
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-n’ specifies the object or folder name
Argument ‘-type’ specifies the object type
Argument ‘-v’ specifies a group or account to verify
- Export Argent AT security to a CSV file:
ARGENT_SECURITY_CLI -p product -export csv
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-export’ specifies the CSV file path
- Import Argent AT security from a CSV file:
ARGENT_SECURITY_CLI -p product -import csv
Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator
Argument ‘-import’ specifies the CSV file path
CSV Format
The Argent AT security export file is in CSV format
Each line can have one of the following formats:
- object type<TAB>object name<TAB>gso
- object type<TAB>object name<TAB>group_or_account_1:option1,group_or_account_2:option2…
Note: An explicit account/group is specified in the format group_or_account:denied|view|full, while a GSO is specified by its name only
The presence of the ‘:’ separator distinguishes the two. Multiple account/group entries are separated by commas
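A parser and audit pass for the export format described above, as an added example that is not part of the original article or of Argent's tooling. It assumes the third field is either a bare GSO name or a comma-separated list of group_or_account:right entries; the function names, sample data, account names and GSO name are constructed for illustration.

```python
from collections import namedtuple

RIGHTS = {"denied", "view", "full"}   # access keywords documented for '-s'
Entry = namedtuple("Entry", "obj_type name gso acl")  # gso or acl is set, never both

def parse_line(line):
    """Parse one export line: type<TAB>name<TAB>(gso | acct:right,acct:right...)."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 3 or not all(f.strip() for f in fields):
        raise ValueError("expected 3 non-empty TAB-separated fields")
    obj_type, name, spec = (f.strip() for f in fields)
    if ":" not in spec:                      # no ':' means the field is a GSO name
        return Entry(obj_type, name, spec, None)
    acl = {}
    for item in spec.split(","):
        principal, _, right = item.strip().rpartition(":")
        if not principal or right.lower() not in RIGHTS:
            raise ValueError(f"bad access entry {item!r}")
        acl[principal] = right.lower()
    return Entry(obj_type, name, None, acl)

def audit(text):
    """Return (entries, findings); findings flag explicit entries and bad lines."""
    entries, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_line(line)
        except ValueError as exc:
            findings.append((lineno, f"malformed: {exc}"))
            continue
        entries.append(entry)
        if entry.acl:   # explicit entries are not managed through a GSO
            full = sorted(p for p, r in entry.acl.items() if r == "full")
            note = f"explicit ACL on {entry.obj_type} '{entry.name}'"
            findings.append((lineno, note + (f", full access: {', '.join(full)}" if full else "")))
    return entries, findings

# Constructed sample data (not taken from a real export)
SAMPLE = (
    "folder\tProduction Rules\tGSO_Operators\n"
    "rule\tDisk Space Check\tCORP\\NOC:view,CORP\\jsmith:full\n"
    "alert\tPage On-Call\tCORP\\Helpdesk:write\n"
)

if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE)[1]:
        print(f"line {lineno}: {msg}")
```

Running the audit over a file produced by ‘-export’ before it is fed back through ‘-import’ shows which objects carry explicit Full Access entries instead of a GSO, and catches lines with an unrecognised access keyword.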
A sample file is shown as follows:
Resolution
Upgrade to Argent Advanced Technology 3.1A-1401-A or later